Overview
Microsoft has disclosed that two vulnerabilities in Windows Defender are under active exploitation in the wild. The more severe of the two — tracked as CVE-2026-41091 — is a privilege escalation flaw rated CVSS 7.8 (High) that allows a local attacker to escalate privileges to SYSTEM level on affected Windows systems.
The second vulnerability is a denial-of-service (DoS) flaw in Defender. Both were confirmed as zero-days, meaning exploitation was observed before patches became available.
The Vulnerabilities
CVE-2026-41091 — Privilege Escalation (Primary Concern)
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-41091 |
| CVSS Score | 7.8 (High) |
| Vulnerability Type | Privilege Escalation |
| Affected Component | Windows Defender |
| Impact | SYSTEM-level privilege escalation |
| Exploitation Status | Actively exploited in the wild |
| Patch Status | Patches being distributed |
Successful exploitation of CVE-2026-41091 allows an attacker who has already obtained a foothold on a Windows system (e.g., via phishing, a separate vulnerability, or malicious software) to escalate their privileges to SYSTEM — the highest privilege level on a Windows machine.
This type of flaw is a critical component of attack chains: threat actors combine an initial access vulnerability with a local privilege escalation (LPE) like CVE-2026-41091 to achieve full system control without requiring initial administrator access.
Second Vulnerability — Denial of Service
A second Defender vulnerability under active exploitation causes a denial-of-service condition, potentially crashing or disabling Windows Defender's protection on affected systems. While less severe than the LPE flaw, disabling the primary endpoint protection on a Windows system is a significant enabler for follow-on attacks.
Why Defender Vulnerabilities Are High-Stakes
Windows Defender occupies a uniquely privileged position in the Windows security architecture:
| Factor | Risk Implication |
|---|---|
| SYSTEM-level privileges | Defender runs with the highest OS privileges — a flaw here enables immediate full system control |
| Universal deployment | Default AV/EDR on all modern Windows — no selective targeting needed |
| Deep kernel integration | Defender's kernel callbacks and ETW hooks provide rich OS access |
| Trusted by security tools | Third-party security software may whitelist Defender processes |
| Always running | No user interaction or specific app usage required to exploit LPE |
An LPE vulnerability in Defender is particularly dangerous because many initial access techniques leave attackers at medium or low integrity — the Defender LPE provides the SYSTEM privileges needed to disable security controls, dump credentials (LSASS), establish persistence in protected locations, and move laterally.
Affected Systems
All Windows versions running unpatched Windows Defender are potentially affected:
- Windows 10 (all currently supported versions)
- Windows 11 (all currently supported versions)
- Windows Server 2019, 2022, and 2025
- Systems managed via Microsoft Defender for Endpoint
Immediate Actions
1. Apply Windows Updates
Ensure Windows Defender's engine is fully updated via Windows Update:
```powershell
# Force Windows Update scan and installation
UsoClient StartScan
UsoClient StartDownload
UsoClient StartInstall

# Check current Defender engine version
Get-MpComputerStatus | Select-Object AMEngineVersion, AMServiceEnabled, AntivirusEnabled
```
2. Verify Defender Engine Version
```powershell
# Check engine and signature versions
$status = Get-MpComputerStatus
$status | Select-Object AMEngineVersion, AntivirusSignatureVersion, NISEngineVersion

# Trigger manual signature update
Update-MpSignature
```
3. Review Recent Defender Detections
```powershell
# Check recent threat detections — look for anomalies around Defender processes
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 20

# Check for process anomalies under MsMpEng.exe
Get-Process -Name MsMpEng | Select-Object Id, CPU, WorkingSet, StartTime
```
4. Audit Defender Exclusions
A common post-exploitation step is adding broad Defender exclusions to persist malware:
```powershell
# Check for tampered Defender exclusions
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension

# Review Defender service state
Get-Service WinDefend, WdNisSvc, WdFilter | Select-Object Name, Status, StartType
```
5. Enterprise: Force Rapid Engine Deployment
For organizations using Microsoft Defender for Endpoint or Intune:
```powershell
# SCCM/MECM: trigger engine update via Endpoint Protection Update task sequence
# Intune: create compliance policy requiring latest Defender engine version
#   Policy: Endpoint Security > Antivirus > Windows Security
# Verify update compliance across fleet via MDE portal
#   Security Center > Vulnerability Management > Recommendations
#   Filter: "Windows Defender engine update"
```
Exploitation Context and Attack Chain
The active exploitation of CVE-2026-41091 before patch availability means:
- Threat actors had advance knowledge — likely through independent discovery or purchase on the exploit market
- Initial targets were likely high-value — zero-day use is typically restricted to specific victims before broader deployment
- Post-patch exploitation will surge — weaponized PoC typically appears within 24–72 hours of patch analysis
Typical Attack Chain Using CVE-2026-41091
Initial access (phishing / web exploit / supply chain)
→ Low/medium integrity execution on target system
→ CVE-2026-41091 exploitation → SYSTEM privileges
→ Disable security tools / dump LSASS credentials
→ Establish persistence (registry, services, scheduled tasks)
→ Lateral movement across domain
What to Monitor
| Indicator | Significance |
|---|---|
| Unexpected processes spawned by MsMpEng.exe | Potential code execution via Defender |
| WMI or PowerShell execution from Defender process | Post-exploitation activity |
| Unusual network connections from antimalware service | Data exfiltration or C2 beacon |
| Broad Defender exclusions added unexpectedly | Attacker enabling malware persistence |
| Disabled Defender components | Post-compromise security control removal |
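The following triage script is an added example, not part of the original advisory or any Microsoft tooling: it turns checklist steps 2 to 4 and the first and last two rows of the monitoring table into a single pass that reports findings instead of raw listings. It uses only the built-in Defender and CIM cmdlets; `$minEngine` is a placeholder because the page gives no fixed engine version, and the "broad exclusion" patterns are my own heuristics, not a Microsoft list.

```powershell
# Added Defender triage script. Assumes the built-in Defender and CIM cmdlets.
# $minEngine is a PLACEHOLDER: the advisory does not state the fixed engine version.
$minEngine = [version]'0.0.0.0'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Engine version and protection state (checklist step 2)
$status = Get-MpComputerStatus
if ([version]$status.AMEngineVersion -lt $minEngine) {
    $findings.Add("Engine $($status.AMEngineVersion) is below required $minEngine")
}
foreach ($p in 'AMServiceEnabled', 'RealTimeProtectionEnabled', 'IsTamperProtected') {
    if (-not $status.$p) { $findings.Add("Protection setting $p is off") }
}

# 2. Exclusion audit (step 4): flag whole-drive / system-folder paths and
#    process exclusions for script hosts and LOLBins (heuristic patterns, my own)
$pref = Get-MpPreference
$broadPath = '^[A-Za-z]:\\?\*?$|^[A-Za-z]:\\(Windows|ProgramData|Users)\\?\*?$'
foreach ($x in @($pref.ExclusionPath)) {
    if ($x -match $broadPath) { $findings.Add("Broad path exclusion: $x") }
}
foreach ($x in @($pref.ExclusionProcess)) {
    if ($x -match '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$') {
        $findings.Add("Script host / LOLBin process exclusion: $x")
    }
}

# 3. Service state (step 4): a stopped or disabled Defender service is a finding
foreach ($svc in Get-Service WinDefend, WdNisSvc, WdFilter -ErrorAction SilentlyContinue) {
    if ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
        $findings.Add("Service $($svc.Name) is $($svc.Status) / $($svc.StartType)")
    }
}

# 4. Child processes of MsMpEng.exe (first monitoring-table row). The antimalware
#    service rarely creates children, so every child is worth an analyst's look.
foreach ($eng in Get-CimInstance Win32_Process -Filter "Name = 'MsMpEng.exe'") {
    Get-CimInstance Win32_Process -Filter "ParentProcessId = $($eng.ProcessId)" |
        ForEach-Object {
            $findings.Add("MsMpEng.exe PID $($eng.ProcessId) spawned $($_.Name) " +
                          "PID $($_.ProcessId): $($_.CommandLine)")
        }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it in an elevated PowerShell session; Get-MpPreference and the process enumeration return incomplete data when run as a standard user.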
Sources
- The Hacker News — Microsoft Warns of Two Actively Exploited Defender Vulnerabilities